Question

How does the EVM having a limited number of &#x27;call steps&#x27; stop a repeating attack from working if it tries to go too deep?

Accepted Answer

The term &#x27;call steps&#x27; in the Ethereum Virtual Machine (EVM) primarily refers to the consumption of &#x27;gas,&#x27; which is a unit of computational effort. Every operation performed by a smart contract, including data manipulation, calculations, and especially external function calls to other contracts, consumes a specific amount of gas. Each transaction submitted to the Ethereum network must specify a &#x27;gas limit,&#x27; which is the maximum amount of gas that transaction is permitted to consume. A repeating attack, such as a re-entrancy attack, works by a malicious contract repeatedly calling back into a vulnerable contract before the original execution context has completed. Each external call initiated by the malicious contract, and all subsequent operations within that nested call, consumes gas. As the attacker attempts to make more and more recursive calls, thereby &#x27;going too deep,&#x27; the cumulative gas cost for these operations quickly accumulates. If the total gas required for these repeated calls exceeds the transaction&#x27;s initial gas limit or the remaining gas available within the current execution frame, the EVM triggers an &#x27;out-of-gas&#x27; (OOG) error. When an OOG error occurs, the EVM immediately reverts the entire transaction, undoing all state changes that occurred during that transaction. This reversion effectively prevents the repeating attack from successfully altering the blockchain state or stealing assets, as any gains from earlier recursive calls are nullified. This gas mechanism acts as a fundamental resource constraint, preventing infinite recursion or excessive computational burden on the network. In addition to gas, the EVM also enforces a hard &#x27;call depth limit&#x27; (currently 1024), meaning a chain of nested external contract calls cannot exceed this depth. While gas typically prevents deep attacks first due to its dynamic consumption, the call depth limit serves as an ultimate safety net against extremely deep recursion.

Home → All Courses → Engineering and Technology Courses → Smart Contract Auditor Certification → Flashcard

How does the EVM having a limited number of 'call steps' stop a repeating attack from working if it tries to go too deep?